CIP v7 and the Final (?) Compliance Schedule for CIP v6.3940

My initial birth announcement for CIP v7 only referred to twins – that is, at
the time it looked like only two CIP v6 standards would be revised to v7,
CIP-003-6 and CIP-010-2; they will now be CIP-003-7 and CIP-010-3. However, in
their never-ending quest for perfection, the SDT decided that three other
requirements also needed to be revised: CIP-004-6, CIP-007-6 and CIP-011-2;
these will now become CIP-004-7, CIP-007-7 and CIP-011-3.[i] In addition, the
Implementation Plan and two Definitions documents (for the Low impact
requirement changes) are also changing. This means there are now eight
documents that need to be approved for CIP v7; instead of giving birth to
twins, NERC is the Octomom. We’ll all have to pray for a successful delivery.

First Things First

The first thing I want to do in this post is
to update my recent post
in which I designated the new compliance version of CIP – that is, the version
you’ll actually have to comply with – to be v5.7879 (there was actually an
infinitely repeating decimal, 5.78787878….
I decided this wouldn’t work too well in compliance documentation, so I
rounded it off). Little did I know that
less than three weeks later I would have to change that number.

I can’t use the same algorithm to compute the
new number, since that assumed there were only going to be two versions of the
CIP standards to comply with at one time.
Silly me, I once again underestimated NERC’s ability to make everything
as complicated as possible – as you can see, the industry now has three
versions to implement simultaneously.[ii]

So I’ve come up with a new algorithm: I
multiply the number of requirements in each version (7 in v5, 6 in v6 and 20 in
v7) by the version number (5, 6 or 7) and divide their sum by the total number
of requirements (33). This yields
6.39393939…, which I’ll round off to 6.3940 just because I’m that kind of
guy. So this is the new compliance version:
6.3940! I won’t be so bold as to say
this time that this isn’t likely to change, since I thought that before. I wouldn’t be at all surprised if some new
glitch causes the SDT to have to revise one or more of the v7 standards; that
will yield – are you sitting down? – CIP v8!
Speaking of which, maybe I’ll have a V8™ now.

What Has Changed?

The second thing I want to do is discuss the
changes that are in the new v7 standards and the other three documents. Briefly
(or as brief as I can be, which isn’t saying much), here are the substantive changes
(you can find the documents here):

Implementation Plan: The substantive change here is that the compliance date
for CIP-003-7 Attachment 1 Section 2 (physical access controls for Low impact
assets) has been pushed back from April 1, 2018 to Sept. 1, 2018.

CIP-003-7: The changes from v6 are some wording changes in Attachments 1 and 2,
and a lot of changes in the Guidance; of course, there are more substantial
changes from v5, since this standard now includes the Low impact requirement
changes ordered by FERC.

CIP-004-7: There has been a change in one requirement part, minor VSL changes,
and a few new sentences in the Guidelines and Technical Basis section. All of
these changes are related to the new requirement for Transient Electronic
Devices and Removable Media.

CIP-007-7: There are small VSL changes and two sentences in the Guidance
(again, all related to Transients).

CIP-010-3: From v6, there are changes in the VSLs, Attachments 1 and 2, and the
Guidance. The big change from v5 is the requirement for Transient Electronic
Devices and Removable Media, CIP-010-3 R4.

CIP-011-3: The only change in this standard is in the Guidance section.

Definitions: CIP v6 had two documents with new Definitions, related to the new
Low impact requirement. These definitions have been tweaked some.

The New Implementation Schedule

As I mentioned above, there has been one
change to the implementation schedule.
Therefore I revised my recent post
on the schedule for CIP v5.7879, which I'm now calling 6.3940 of course. So please go there to get
the Final (???) implementation schedule for CIP v6.3940.

The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.

[i] This leaves only two standards proudly bearing the CIP v6 designation:
CIP-006-6 and CIP-009-6; this is down from eight v6 standards a week ago. My,
how the great have fallen!

[ii] I’ve come to believe that some NERC managers’ bonuses are based on their
ability to make things as complicated as possible. This would perhaps explain
why we’re seeing this sudden flurry of complicating activity toward the end of
the year – the managers are panicking as they suddenly realize NERC CIP
compliance isn’t quite as complicated as it could possibly be. I must say, if
my suspicion is true, these managers have richly deserved their bonuses this
year! I never thought it could be this complicated.